NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Managing Risk in New Computing Paradigms
Applying FISMA Standards and Guidelines to Cloud Computing

Workshop on Cloud Computing Security and Compliance Challenges

June 11, 2009

Dr. Ron Ross
Computer Security Division, Information Technology Laboratory

Risk-Based Protection Strategy

Enterprise missions and business processes drive the security requirements and the associated safeguards and countermeasures for organizational information systems.

Highly flexible implementation, recognizing the diversity of mission/business processes and operational environments.

Senior leaders take ownership of their security plans, including the safeguards and countermeasures for their information systems.

Senior leaders are both responsible and accountable for their information security decisions: understanding, acknowledging, and explicitly accepting the resulting mission/business risk.

External Service Providers

Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions.

Organizations have varying degrees of control over external service providers.

Organizations must establish trust relationships with external service providers to ensure that the necessary security controls are in place and are effective in their application.

Where control of external service providers is limited or infeasible, the organization factors that situation into its risk assessment.

The Need for Trust Relationships

Changing ways we are doing business…

Outsourcing

Service Oriented Architectures

Software as a Service / Cloud Computing

Business Partnerships

Information Sharing

Trust Relationships

The objective is to achieve visibility into and understanding of a prospective partner's information security program, establishing a trust relationship based on the trustworthiness of their information systems.

[Figure: Organization One and Organization Two, each operating an information system and each determining the risk to its operations and assets, individuals, other organizations, and the Nation, and the acceptability of that risk. Business/mission information flows between the two information systems; security information (System Security Plan, Security Assessment Report, Plan of Action and Milestones) is exchanged between the two organizations.]

Elements of Trust

Trust among partners can be established by:

Identifying the goals and objectives for the provision of services/information or information sharing;

Agreeing upon the risk from the operation and use of the information systems associated with the provision of services/information or information sharing;

Agreeing upon the degree of trustworthiness (i.e., the security functionality and assurance) needed for the information systems processing, storing, or transmitting shared information or providing services/information, in order to adequately mitigate the identified risk;

Determining if the information systems providing services/information or involved in information sharing activities are worthy of being trusted; and

Providing ongoing monitoring and management oversight to ensure that the trust relationship is maintained.

The Trust Continuum

Trust relationships among partners can be viewed as a continuum, ranging from a high degree of trust to little or no trust…

The degree of trust in the information systems supporting the partnership should be factored into risk decisions.

[Figure: Trust Continuum, a scale running from Untrusted to Highly Trusted]

Information Security Programs

Adversaries attack the weakest link…where is yours?

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
Risk assessment
Security planning, policies, procedures
Configuration management and control
Contingency planning
Incident response planning
Security awareness and training
Security in acquisitions
Physical security
Personnel security
Security assessments
Certification and accreditation

Technical controls:
Access control mechanisms
Identification & authentication mechanisms (biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Boundary and network protection devices (firewalls, guards, routers, gateways)
Intrusion protection/detection systems
Security configuration settings
Anti-viral, anti-spyware, anti-spam software
Smart cards

Risk Management Framework

[Figure: the six RMF steps arranged as a cycle around the Security Life Cycle (SP 800-39); the steps and the standards that govern each are listed below in order.]

1. CATEGORIZE Information System (FIPS 199 / SP 800-60), the starting point:
Define the criticality/sensitivity of the information system according to the potential worst-case adverse impact to mission/business.

2. SELECT Security Controls (FIPS 200 / SP 800-53):
Select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment.

3. IMPLEMENT Security Controls (SP 800-70):
Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.

4. ASSESS Security Controls (SP 800-53A):
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, and meeting the security requirements for the information system).

5. AUTHORIZE Information System (SP 800-37):
Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

6. MONITOR Security State (SP 800-37 / SP 800-53A):
Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
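The Categorize and Select steps are the two that the deck ties to specific, mechanical rules: FIPS 199 categorizes a system by taking the worst-case ("high water mark") impact level for confidentiality, integrity and availability across the information types it handles, and FIPS 200 picks the SP 800-53 Low, Moderate or High baseline from the highest of those three. The Python below is an added worked example, not code from the NIST deck or from NIST; it applies those rules to a constructed, hypothetical agency portal. The information types, their impact levels and all function names are assumptions for illustration. It also handles the one edge case FIPS 199 calls out: an information type may rate confidentiality as "not applicable" (public information), but a system may never be categorized below LOW for any objective.

```python
"""FIPS 199 security categorization with FIPS 200 baseline selection.

Added worked example; it is not code from the NIST deck.  Rules implemented:
  * each information type is rated LOW / MODERATE / HIGH for confidentiality,
    integrity and availability; NA is permitted for confidentiality only;
  * the system's level per objective is the highest level among its
    information types (the FIPS 199 "high water mark"), with a LOW floor
    because NA may not be assigned at the system level;
  * the SP 800-53 baseline (Low / Moderate / High) is chosen from the highest
    of the three system-level values, as FIPS 200 directs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("LOW", "MODERATE", "HIGH")  # ordered from least to most severe impact


@dataclass(frozen=True)
class InfoType:
    """One information type (e.g. an SP 800-60 type) and its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def normalize(level: str, objective: str) -> str:
    """Validate one impact value; 'NA' is only legal for confidentiality."""
    value = level.strip().upper()
    if value == "NA":
        if objective != "confidentiality":
            raise ValueError(f"NA is not a valid {objective} impact level")
        return value
    if value not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    return value


def categorize(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """System-level security category: high water mark per objective, LOW floor."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        values = [normalize(getattr(t, objective), objective) for t in types]
        rated = [v for v in values if v != "NA"]
        # Floor at LOW: system-level processing functions always need protection.
        category[objective] = max(rated, key=LEVELS.index) if rated else "LOW"
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall impact level that FIPS 200 uses to pick the control baseline."""
    return max((category[o] for o in OBJECTIVES), key=LEVELS.index)


def fips199_notation(category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC = {(objective, impact), ...}' form."""
    inner = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + inner + "}"


def select_baseline(info_types: Iterable[InfoType]) -> Tuple[Dict[str, str], str]:
    """Categorize the system and return (category, SP 800-53 baseline name)."""
    category = categorize(info_types)
    return category, f"{high_water_mark(category).title()} baseline"


# Constructed sample: a hypothetical agency portal, not taken from the deck.
SAMPLE_SYSTEM = [
    InfoType("public web content", "NA", "moderate", "moderate"),
    InfoType("citizen contact records", "moderate", "moderate", "low"),
    InfoType("benefit payment records", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat, baseline = select_baseline(SAMPLE_SYSTEM)
    print(fips199_notation(cat))
    print("FIPS 200 baseline:", baseline)
```

One HIGH integrity rating on the payment records drags the whole system to the High baseline even though every other cell is MODERATE or lower; that is the worst-case semantics the Categorize step describes, and it is why information types with inflated provisional impact levels are worth challenging before the baseline is selected.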

Contact Information

100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]
Administrative Support: Peggy Himes, [email protected]

Senior Information Security Researchers and Technical Support:
Marianne Swanson, (301) 975-3293, [email protected]
Dr. Stu Katzke, (301) 975-4768, [email protected]
Pat Toth, (301) 975-5140, [email protected]
Arnold Johnson, (301) 975-3247, [email protected]
Matt Scholl, (301) 975-2941, [email protected]

Information and Feedback: Web: csrc.nist.gov/ ; Comments: [email protected]